Auditing Differential Privacy in the Black-Box Setting
Kaining Shi, Cong Ma
TL;DR
This work addresses auditing differential privacy in black-box settings by framing it as a hypothesis test under $f$-differential privacy, where a trade-off function $T(P,Q)$ characterizes the hardness of distinguishing outputs from neighboring datasets. It introduces CIPA, a conformal-inference–based auditing mechanism that reliably controls the Type I error in finite samples and explores the fundamental impossibility of achieving small Type II error without extra assumptions. Under a monotone likelihood ratio (MLR) condition, the authors show simultaneous control of both error types and extend the method to construct finite-sample confidence bands for the privacy trade-off function, including a lower-bound impossibility for distribution-free lower bands. The results provide practical, non-asymptotic tools for verifying privacy guarantees in proprietary DP mechanisms and clarify when stronger distributional assumptions are required for reliable auditing.
Abstract
This paper introduces a novel theoretical framework for auditing differential privacy (DP) in a black-box setting. Leveraging the concept of $f$-differential privacy, we explicitly define type I and type II errors and propose an auditing mechanism based on conformal inference. Our approach robustly controls the type I error rate under minimal assumptions. Furthermore, we establish a fundamental impossibility result, demonstrating the inherent difficulty of simultaneously controlling both type I and type II errors without additional assumptions. Nevertheless, under a monotone likelihood ratio (MLR) assumption, our auditing mechanism effectively controls both errors. We also extend our method to construct valid confidence bands for the trade-off function in the finite-sample regime.
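An added illustration of black-box auditing with type I error control, not code from the paper and not its CIPA procedure, which this page does not spell out: threshold tests on the mechanism's outputs (the optimal tests under MLR) are compared with the pure $\varepsilon$-DP trade-off curve after a DKW confidence margin. The Laplace black box, the function names, the sample size and the seed are constructed assumptions.

```python
import bisect
import math
import random

def f_eps(alpha, eps):
    """Trade-off function of pure eps-DP: least type II error at type I level alpha."""
    return max(0.0, 1.0 - math.exp(eps) * alpha, math.exp(-eps) * (1.0 - alpha))

def laplace_mechanism(true_value, scale, rng):
    """Constructed black box; the auditor only ever sees its outputs."""
    # The difference of two i.i.d. exponentials with mean `scale` is Laplace(0, scale).
    return true_value + rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)

def audit(sample_p, sample_q, eps, delta=0.05):
    """Return (rejected, witness) for the claim "the mechanism is eps-DP".

    sample_p / sample_q are outputs on two neighbouring datasets. The claim is
    rejected only if some test "output > t" lies below f_eps even after a DKW
    margin, so an eps-DP mechanism is rejected with probability at most delta.
    """
    n, k = len(sample_p), len(sample_q)
    # DKW: each empirical CDF is within its margin of the truth w.p. >= 1 - delta/2.
    m_p = math.sqrt(math.log(4.0 / delta) / (2.0 * n))
    m_q = math.sqrt(math.log(4.0 / delta) / (2.0 * k))
    p_sorted, q_sorted = sorted(sample_p), sorted(sample_q)
    for t in p_sorted + q_sorted:
        alpha_hat = 1.0 - bisect.bisect_right(p_sorted, t) / n  # empirical type I error
        beta_hat = bisect.bisect_right(q_sorted, t) / k         # empirical type II error
        a_up = min(1.0, alpha_hat + m_p)  # upper confidence bound on the true alpha
        b_up = min(1.0, beta_hat + m_q)   # upper confidence bound on the true beta
        if b_up < f_eps(a_up, eps):       # below the curve even in the worst case
            return True, (t, alpha_hat, beta_hat)
    return False, None

def run_demo(scale, claimed_eps=1.0, n=20000, seed=7):
    """Audit a sensitivity-1 query whose true answers on the two datasets are 0 and 1."""
    rng = random.Random(seed)
    sample_p = [laplace_mechanism(0.0, scale, rng) for _ in range(n)]
    sample_q = [laplace_mechanism(1.0, scale, rng) for _ in range(n)]
    return audit(sample_p, sample_q, claimed_eps)[0]

if __name__ == "__main__":
    print("scale 1.00 (calibrated for eps = 1):", run_demo(1.0))
    print("scale 0.25 (actually eps = 4):      ", run_demo(0.25))
```

A non-rejection here is not evidence that the claim holds; without an assumption such as MLR, the threshold tests may simply miss the violating region, which is the type II difficulty the abstract describes.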
